Responsible disclosure is a burning issue in the world of software and security. If a security flaw is discovered by a researcher (sometimes called a hacker), what are the responsible actions the discoverer should take? There was a time when many security flaws were simply published willy-nilly to a mailing list or website. Researchers sought the fame and glory of being the first to uncover a serious flaw in Microsoft, Adobe, or a network firewall.
Over time a set of behaviors became the norm:
1. Notify the software provider
2. Wait a reasonable time
3. Disclose
Vendors have encouraged this behavior by publicizing the names or identities of the researchers who report a security bug, and even by paying bounties for responsibly disclosed bugs.
Bad guys like cyber criminals and certain intelligence agencies do not disclose at all. They exploit. A so-called zero-day vulnerability is too valuable to them.
Open source software projects have a continuous process for reporting and fixing bugs. The disjointed communities of developers, like that of OpenSSL, work continuously to address flaws.
Was the potentially devastating Heartbleed bug disclosed properly? You decide.
An abridged timeline of events is:
Friday, March 21 (or before): Neel Mehta of Google Security discovers the Heartbleed vulnerability.
Monday, March 31 (or before): Cloudflare patches the bug.
Wednesday, April 2: Finnish IT security testing firm Codenomicon separately discovers the same bug.
Monday, April 7, ~13:13: Most of the world finds out about the issue through heartbleed.com.
There was quite a bit of back and forth within the open source community in the short two weeks from discovery to public disclosure. See the complete timeline put together by Fairfax Media.
My take is yes, considering the severity and the complications, Google and Codenomicon could not have done much better.
For a discussion of this and other issues around Heartbleed join me tomorrow, April 17 at 11:00 AM Eastern (GMT -5) when I ask Lance James, Head of Cyber Intelligence at Deloitte, about responsible disclosure and just how bad is the blood loss from Heartbleed.